Current challenges in information security risk management
Authors: Fenz Stefan, Heurix Johannes, Neubauer Thomas, Pechstein Fabian
Abstract
Purpose
– The purpose of this paper is to give an overview of current risk management approaches and outline their commonalities and differences, evaluate current risk management approaches regarding their capability of supporting cost-efficient decisions without unnecessary security trade-offs, outline current fundamental problems in risk management based on industrial feedback and academic literature, and provide potential solutions and research directions to address the identified problems. Despite decades of research, the information security risk management domain still faces numerous challenges which hinder risk managers from arriving at sound risk management results.
Design/methodology/approach
– To identify the challenges in information security risk management, existing approaches are compared against each other, and as a result, an abstracted methodology is derived to align the problem and solution identification to its generic phases. The challenges have been identified based on literature surveys and industry feedback.
Findings
– As common problems in implementing information security risk management approaches, we identified the fields of asset and countermeasure inventory, asset value assignment, risk prediction, the overconfidence effect, knowledge sharing and risk vs. cost trade-offs. The reviewed risk management approaches do not explicitly provide mechanisms to support decision makers in making appropriate risk versus cost trade-offs, but we identified academic approaches which fulfill this need.
Originality/value
– The paper provides a reference point for professionals and researchers by summing up the current challenges in the field of information security risk management. The findings therefore enable researchers to focus their work on the identified real-world challenges and thereby contribute to advancing the information security risk management domain in a structured way. Practitioners can use the research results to identify common weaknesses and potential solutions in information security risk management programs.
Subjects: Library and Information Sciences, Management Science and Operations Research, Business and International Management, Management Information Systems
Cited by 59 articles.